ejabberd - Comments for "mod_shared_roster_ldap - LDAP Shared Roster Management" https://www.ejabberd.im/mod_shared_roster_ldap en
roster based on ou https://www.ejabberd.im/mod_shared_roster_ldap#comment-67506 <p>Hi,</p> <p>Can anybody explain to me how to populate a roster for every user with my user in my OU?</p> <p>I really don't understand this mod.</p> <p>Authent is ok, we've set mod_shared_roster_ldap: and mod_roster is already activated.</p> <p> mod_shared_roster_ldap:<br /> ldap_base: "ou=Internal,ou=Users,dc=xxxxxxx,dc=xxx"<br /> ldap_rfilter: "(&amp;(objectClass=inetOrgPerson)(ou)"<br /> ldap_filter: ""<br /> ldap_userdesc: "displayName"</p> <p>What did I miss?</p> Tue, 06 Jun 2017 10:11:14 +0000 kiki comment 67506 at https://www.ejabberd.im
I'm sorry, I'm bumping this. https://www.ejabberd.im/mod_shared_roster_ldap#comment-66074 <p>I'm sorry, I'm bumping this. Has *anyone* got this to work with spaces in CN's and nested groups as containers?</p> Tue, 08 Sep 2015 15:01:34 +0000 3coma3 comment 66074 at https://www.ejabberd.im
shared_roster_ldap (Active Directory) all users appear as offline https://www.ejabberd.im/mod_shared_roster_ldap#comment-66020 <p>Hi, please forgive me if this isn't the right place to ask. I've been struggling two days straight to get dynamic shared rosters from Active Directory to work correctly. I must mention that our DIT is years long and therefore I can't make many big changes, I have to use what is there.</p> <p>We have two groupings: one for quick overview when managing the tree and for Policy propagation, disposed in coarse OUs. The other one, which is used for the more granular tasks of security mappings in storage, and for mail distribution lists is based on Security and Distribution Groups, of which many are nested.
Users and groups that should have mail (and now XMPP) have their <em>mail</em> fields populated with their <em>sAMAccountName@our.domain.com</em>. I have to get the users and groups from the groups, not from the OUs.</p> <p>My ejabberd authenticates with LDAP to the Active Directory, Vcard information is also pulled from there. These two things are working seamlessly from the start. The non-LDAP shared rosters also worked fine when testing (except for @all@).</p> <p>The trouble with shared_roster_ldap was that it didn't handle CN's containing spaces, *every* CN here is "FirstName Lastname". Finally solved it by making the module connect to a local OpenLDAP proxy that maps and rewrites every entry in the <em>member</em> attributes, making another request with the DN and replacing it with the values of <em>sAMAccountName</em>s. In the mapping the attribute itself is renamed to <em>uid</em>. All this is transparent to the module, which sees a member attribute that contains a list of uids with usernames.</p> <p>Right when the mapping was up, the roster was populated from Active Directory with all users and groups, and the Vcards are correct for every entry.</p> <p>But the problem is that now I see every user offline, even if they are connected.</p> <p>I don't get it. When I was testing mod_shared_roster, I added <em>sAMAccountName@our.domain.com.</em> and it worked correctly. Now the same is shown in the list but the status isn't updated. When I browse the address with Psi+ it shows it, along with other JIDs that have some kind of ID appended after the domain.
I guess this is related to the real problem, but I don't see in what way (or how I can solve it).</p> <p>Could you please help me to get it finally working?</p> Fri, 21 Aug 2015 02:07:35 +0000 3coma3 comment 66020 at https://www.ejabberd.im
mod_shared_roster_ldap doesn't work...I guess https://www.ejabberd.im/mod_shared_roster_ldap#comment-65197 <p>Hello.</p> <p>I've successfully installed ejabberd from Ubuntu 14.04 repo and configured authentication against Active Directory on Windows Server 2012. My problem is that mod_shared_roster_ldap seems not to be working properly. It is strange but it doesn't work when mod_shared_roster is down; when I uncommented the line with mod_shared_roster, users appeared on the contact list. Every change that I make in mod_shared_roster_ldap doesn't do anything; even when I commented mod_shared_roster_ldap with everything that is included in it, users (only usernames like for ex. user.name) still appear on roster - is it normal? My goal is to authenticate users against AD and have roster with them, not with usernames but with people names. Any suggestions?</p> Fri, 02 Jan 2015 13:15:46 +0000 ppk comment 65197 at https://www.ejabberd.im
Re: ufilter is not applied for roster and groupmembers https://www.ejabberd.im/mod_shared_roster_ldap#comment-63322 <p>Stock mod_shared_roster_ldap still has a weird requirement that the result of ldap_memberattr be the user part of JID.</p> <p>If the optional parameter ldap_auth_check is on (default), then each ldap_memberattr result is combined with current ejabberd domain to make full JID, and checked for existence (using auth) before processing any further. That's what is happening in your case.</p> <p>You may try to set ldap_auth_check to off. But this doesn't guarantee success. Some time ago, the code of ufilter did another weird check that ufilter gave the same thing that ldap_memberattr did.
I have not looked into the original source code for quite a long time, so maybe there are some fixes that would allow you to succeed, or maybe not.</p> Fri, 31 Jan 2014 22:22:31 +0000 mikekaganski comment 63322 at https://www.ejabberd.im
ufilter is not applied for roster and groupmembers https://www.ejabberd.im/mod_shared_roster_ldap#comment-63273 <p>Hi, </p> <p>We've set up ejabberd for our team delivered with Ubuntu 12.04 LTS (ejabberd v2.1.10). </p> <p>Currently we try to create shared rosters based on LDAP for the Team and several projects, but have no success to get the ldap_ufilter applied to the members detected by the gfilter. </p> <p>Did you have any hint for me what's going wrong there? </p> <p>Here's an example of the LDAP Structure we use + the ldap and mod_shared_roster_ldap module:</p> <p><strong>LDAP Structure</strong></p> <div class="codeblock"><code>### OU with all users ##########################################<br />dn: ou=users,dc=lnxcim,dc=example,dc=com<br />objectClass: organizationalUnit<br />ou: users<br />description: OU for all Company Users<br />################################################################ <p>### User Entries example #######################################<br />dn: uid=x00008,ou=users,dc=lnxcim,dc=example,dc=com<br />objectClass: inetOrgPerson<br />objectClass: organizationalPerson<br />objectClass: person<br />objectClass: posixAccount<br />objectClass: shadowAccount<br />objectClass: top<br />cn: Musterfrau, Petra<br />gidNumber: 1000<br />homeDirectory: /home/x00008<br />sn: Musterfrau<br />uid: x00008<br />uidNumber: 10012<br />givenName: Petra<br />loginShell: /bin/bash<br />mail: <noindex><a href="mailto:Petra.Mustermann@example.com" rel="nofollow" >Petra.Mustermann@example.com</a></noindex><br />shadowMax: 16111<br />telephoneNumber: +49 XXXX XXXXXXXX</p> <p>dn: uid=x00076,ou=users,dc=lnxcim,dc=example,dc=com<br />objectClass: inetOrgPerson<br />objectClass: organizationalPerson<br />objectClass: person<br
/>objectClass: posixAccount<br />objectClass: shadowAccount<br />objectClass: top<br />cn: Mustermann, Max<br />gidNumber: 1000<br />homeDirectory: /home/x00076<br />sn: Mustermann<br />uid: x00076<br />uidNumber: 10065<br />givenName: Max<br />loginShell: /bin/bash<br />mail: <noindex><a href="mailto:Max.Mustermann@example.com" rel="nofollow" >Max.Mustermann@example.com</a></noindex><br />shadowMax: 16382<br />telephoneNumber: +49 XXXX XXXXXXXX<br />################################################################</p> <p>### OU with Jabber Groups ######################################<br />dn: ou=jabber,ou=services,dc=lnxcim,dc=example,dc=com<br />objectClass: organizationalUnit<br />objectClass: top<br />ou: jabber<br />################################################################</p> <p>### Jabber Groups ##############################################<br />dn: cn=CIM2,ou=jabber,ou=services,dc=lnxcim,dc=example,dc=com<br />objectClass: extensibleObject<br />objectClass: posixGroup<br />objectClass: top<br />cn: CIM2<br />gidNumber: 1012<br />description: Team: CIM2<br />info: jabbergroup<br />memberUid: x00008<br />memberUid: x00076<br />################################################################</p></code></div> <p><strong>ejabberd configuration</strong></p> <div class="codeblock"><code>#### may relevant parameters for ldap auth ##################### <p>{auth_method, ldap}.<br />{ldap_servers, [&quot;localhost&quot;]}.<br />{ldap_base, &quot;dc=lnxcim,dc=example,dc=com&quot;}.<br />{ldap_uids, [{&quot;mail&quot;, &quot;%u@%d&quot;}]}.<br />{ldap_filter, &quot;(objectClass=posixAccount)&quot;}.</p> <p>################################################################</p> <p>### mod_shared_roster_ldap config ##############################</p> <p>&nbsp;&nbsp; {mod_shared_roster_ldap,[<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {ldap_base, &quot;dc=lnxcim,dc=example,dc=com&quot;},<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {ldap_filter, 
&quot;&quot;},<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {ldap_rfilter, &quot;(&amp;(objectClass=posixGroup)(objectClass=extensibleObject)(info=jabbergroup))&quot;},<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {ldap_groupattr, &quot;cn&quot;},<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {ldap_gfilter, &quot;(&amp;(objectClass=posixGroup)(objectClass=extensibleObject)(info=jabbergroup)(cn=%g))&quot;},<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {ldap_groupdesc, &quot;description&quot;},<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {ldap_memberattr, &quot;memberUid&quot;},<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {ldap_ufilter, &quot;(&amp;(objectClass=inetOrgPerson)(uid=%u))&quot;},<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {ldap_useruid, &quot;uid&quot;},<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {ldap_userdesc, &quot;cn&quot;}<br />&nbsp; ]},</p> <p>################################################################</p></code></div> <p>With this I've got the following output on loglevel 5. 
</p> <p><strong>ejabberd log</strong></p> <p>* find the query for roster filter</p> <div class="codeblock"><code>=INFO REPORT==== 2014-01-27 21:02:31 ===<br />D(&lt;0.455.0&gt;:eldap:696) : {searchRequest,<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {&#039;SearchRequest&#039;,&quot;dc=lnxcim,dc=example,dc=com&quot;,<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; wholeSubtree,neverDerefAliases,0,5,false,<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {&#039;and&#039;,<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [{equalityMatch,<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {&#039;AttributeValueAssertion&#039;,&quot;objectClass&quot;,<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &quot;posixGroup&quot;}},<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {equalityMatch,<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {&#039;AttributeValueAssertion&#039;,&quot;objectClass&quot;,<br 
/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &quot;extensibleObject&quot;}},<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {equalityMatch,<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {&#039;AttributeValueAssertion&#039;,&quot;info&quot;,<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &quot;jabbergroup&quot;}}]},<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [&quot;cn&quot;]}}</code></div> <p>* see the result of the roster filter:</p> <div class="codeblock"><code>=INFO REPORT==== 2014-01-27 21:02:31 ===<br />D(&lt;0.455.0&gt;:eldap:767) : {searchResEntry,<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {&#039;SearchResultEntry&#039;,<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &quot;cn=CIM2,ou=jabber,ou=services,dc=lnxcim,dc=example,dc=com&quot;,<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [{&#039;PartialAttributeList_SEQOF&#039;,&quot;cn&quot;,<br 
/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [&quot;CIM2&quot;]}]}} <p>=INFO REPORT==== 2014-01-27 21:02:31 ===<br />D(&lt;0.455.0&gt;:eldap:767) : {searchResDone,<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {&#039;LDAPResult&#039;,success,[],[],asn1_NOVALUE}}</p></code></div> <p>* find the query of the gfilter:</p> <div class="codeblock"><code>=INFO REPORT==== 2014-01-27 21:02:31 ===<br />D(&lt;0.455.0&gt;:eldap:696) : {searchRequest,<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {&#039;SearchRequest&#039;,&quot;dc=lnxcim,dc=example,dc=com&quot;,<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; wholeSubtree,neverDerefAliases,0,5,false,<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {&#039;and&#039;,<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [{equalityMatch,<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {&#039;AttributeValueAssertion&#039;,&quot;objectClass&quot;,<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &quot;posixGroup&quot;}},<br 
/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {equalityMatch,<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {&#039;AttributeValueAssertion&#039;,&quot;objectClass&quot;,<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &quot;extensibleObject&quot;}},<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {equalityMatch,<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {&#039;AttributeValueAssertion&#039;,&quot;info&quot;,<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &quot;jabbergroup&quot;}},<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {equalityMatch,<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {&#039;AttributeValueAssertion&#039;,&quot;cn&quot;,&quot;CIM2&quot;}}]},<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [&quot;cn&quot;,&quot;description&quot;,&quot;memberUid&quot;]}}</code></div> <p>* result of gfiler with 
ldap_memberattr = memberUid </p> <div class="codeblock"><code>=INFO REPORT==== 2014-01-27 21:02:31 ===<br />D(&lt;0.455.0&gt;:eldap:767) : {searchResEntry,<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {&#039;SearchResultEntry&#039;,<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &quot;cn=CIM,ou=jabber,ou=services,dc=lnxcim,dc=example,dc=com&quot;,<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [{&#039;PartialAttributeList_SEQOF&#039;,&quot;cn&quot;,[&quot;CIM&quot;]},<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {&#039;PartialAttributeList_SEQOF&#039;,<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &quot;description&quot;,<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [&quot;Team: CIM&quot;]},<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {&#039;PartialAttributeList_SEQOF&#039;,&quot;memberUid&quot;,<br 
/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [&quot;x00076&quot;,&quot;x00008&quot;]}]}} <p>=INFO REPORT==== 2014-01-27 21:02:31 ===<br />D(&lt;0.455.0&gt;:eldap:767) : {searchResDone,<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {&#039;LDAPResult&#039;,success,[],[],asn1_NOVALUE}}</p></code></div> <p>* here I guess the ufilter should be applied it doesn't, so we got never a match of memberUid with uid=%u</p> <div class="codeblock"><code>=INFO REPORT==== 2014-01-27 21:02:31 ===<br />D(&lt;0.287.0&gt;:eldap:696) : {searchRequest,<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {&#039;SearchRequest&#039;,&quot;dc=lnxcim,dc=example,dc=com&quot;,<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; wholeSubtree,neverDerefAliases,0,0,false,<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {&#039;and&#039;,<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [{equalityMatch,<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {&#039;AttributeValueAssertion&#039;,&quot;mail&quot;,<br 
/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &quot;x00076@example.com&quot;}},<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {equalityMatch,<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {&#039;AttributeValueAssertion&#039;,&quot;objectClass&quot;,<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &quot;posixAccount&quot;}}]},<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [&quot;mail&quot;]}}</code></div> <p>* Result: no match since this is not my ufilter????<br /> * instead it's matched for mail-address created out of the "memberUid"+@+"Domain"</p> <div class="codeblock"><code>=INFO REPORT==== 2014-01-27 21:02:31 ===<br />D(&lt;0.287.0&gt;:eldap:767) : {searchResDone,<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {&#039;LDAPResult&#039;,success,[],[],asn1_NOVALUE}}</code></div> <p>Did you have any hints or idea why this happens? </p> <p>How can I get the users data from PosixAccount member within a PosixGroups? 
</p> <p>Thank you very much for any help here!<br /> Sebastian</p> Mon, 27 Jan 2014 20:55:30 +0000 kriegerse comment 63273 at https://www.ejabberd.im
Filtering groups by membership https://www.ejabberd.im/mod_shared_roster_ldap#comment-62645 <p>Is there a way to filter groups available to the user to only those he is a member of?</p> <p>If so, how can it be done?</p> Tue, 07 Jan 2014 07:42:19 +0000 pafcio00 comment 62645 at https://www.ejabberd.im
Re: more than one ldap server or rootdn in shared roster https://www.ejabberd.im/mod_shared_roster_ldap#comment-59313 <div class="quote-msg"> <div class="quote-author"><em>mikekaganski</em> wrote:</div> <p>1. msrl should be able to run successfully with per-vhost configuration. If it does not, it should be considered a bug. But in this case, you get different shared rosters for different vhosts.<br /> 2. It is impossible in current msrl. In theory, it is possible to modify it so that it would become possible to get users from different directories, but in this configuration, it would be impossible to keep the overall philosophy of this module: to get all needed information from LDAP. It would be possible only to show all users from all servers to each other, while there would be no easy way to restrict one's shared roster groups to some subset of groups from server a + some groups from server b + ...
So it seems impractical to modify msrl this way.</p></div> <p>We did openldap with slapd-meta+slapd-pcache.<br /> It makes visual all ldap servers as one.</p> Mon, 17 Dec 2012 13:25:05 +0000 devil_inside comment 59313 at https://www.ejabberd.im
Re: ldap timeouts with using msrl https://www.ejabberd.im/mod_shared_roster_ldap#comment-59295 <div class="quote-msg"> <div class="quote-author"><em>mikekaganski</em> wrote:</div> <div class="quote-msg"> <div class="quote-author"><em>devil_inside</em> wrote:</div> <p>Can msrl choose to use persistent or non-persistent connection?</p></div> <p>Not implemented.</p> <div class="quote-msg"> <div class="quote-author"><em>devil_inside</em> wrote:</div> <p>How can I make it establish a new connection to ldap?</p></div> <p>Seems like a patch needed. I cannot promise anything now, but I'll try to look into it; and if I'll do something I'll leave a note here or at <noindex><a href="https://support.process-one.net/browse/EJAB-1480" rel="nofollow" >EJAB-1480</a></noindex>.</p></div> <p>I tried again.<br /> Now I think that it is not an ldap problem, it is a strange rate of connections at all.<br /> When at one moment of time some decades of users try to connect to ejabberd, it takes on approximately 15-18 users quickly and much more slowly takes on other users with huge delay between acceptances of connections.<br /> Why?<br /> I did turn off all max_stanza_size and all shapers in config, but the problem persists as in the beginning.<br /> What setting in ejabberd server makes connection rate?</p> Thu, 06 Dec 2012 05:51:04 +0000 devil_inside comment 59295 at https://www.ejabberd.im
Re: ldap timeouts with using msrl https://www.ejabberd.im/mod_shared_roster_ldap#comment-59286 <div class="quote-msg"> <div class="quote-author"><em>mikekaganski</em> wrote:</div> <div class="quote-msg"> <div class="quote-author"><em>devil_inside</em> wrote:</div> <p>Can msrl choose to use persistent or non-persistent connection?</p></div> <p>Not implemented.</p> <div
class="quote-msg"> <div class="quote-author"><em>devil_inside</em> wrote:</div> <p>How can I make it establish a new connection to ldap?</p></div> <p>Seems like a patch needed. I cannot promise anything now, but I'll try to look into it; and if I'll do something I'll leave a note here or at <noindex><a href="https://support.process-one.net/browse/EJAB-1480" rel="nofollow" >EJAB-1480</a></noindex>.</p></div> <p>Some interesting (maybe) information:<br /> Today I dropped ejabberd some times one by one with ~150 connected users.<br /> With msrl or without msrl, quick and fine connected was 24 users (maybe 25).<br /> Other users had timeouts in endless connections.<br /> I dropped server 5 times (one time I did reject connections to port 5222 before dropping, unload msrl and wait some minutes and then delete fw rules) and quick-connected users was always ~24-25, and after them server goes to timeouts from ldap.</p> <p>At last half of test time I did cycle large query (list of all users and attributes) to my ldap server and it answers me always with no delay.</p> Tue, 04 Dec 2012 19:22:52 +0000 devil_inside comment 59286 at https://www.ejabberd.im
Re: ldap timeouts with using msrl https://www.ejabberd.im/mod_shared_roster_ldap#comment-59283 <div class="quote-msg"> <div class="quote-author"><em>devil_inside</em> wrote:</div> <p>Can msrl choose to use persistent or non-persistent connection?</p></div> <p>Not implemented.</p> <div class="quote-msg"> <div class="quote-author"><em>devil_inside</em> wrote:</div> <p>How can I make it establish a new connection to ldap?</p></div> <p>Seems like a patch needed.
I cannot promise anything now, but I'll try to look into it; and if I'll do something I'll leave a note here or at <noindex><a href="https://support.process-one.net/browse/EJAB-1480" rel="nofollow" >EJAB-1480</a></noindex>.</p> Tue, 04 Dec 2012 13:46:37 +0000 mikekaganski comment 59283 at https://www.ejabberd.im
ldap timeouts with using msrl https://www.ejabberd.im/mod_shared_roster_ldap#comment-59278 <p>We have ejabberd (2.1.11) + ldap server (communigate) + mod_shared_roster_ldap + ~2100 users.<br /> Sometimes ejabberd stops its activity (new users can't connect to it with "connection timeout", earlier connected and logged on users stay working.)<br /> In logs I see </p> <p>=ERROR REPORT==== 2012-11-30 12:52:37 ===<br /> E(&lt;0.19874.8&gt;:eldap_pool:81) : LDAP request failed: timed out</p> <p>=ERROR REPORT==== 2012-11-30 12:52:37 ===<br /> E(&lt;0.19876.8&gt;:eldap_pool:81) : LDAP request failed: timed out</p> <p>=ERROR REPORT==== 2012-11-30 12:52:37 ===<br /> E(&lt;0.19878.8&gt;:eldap_pool:81) : LDAP request failed: timed out</p> <p>(huge list of such messages).</p> <p>When I stop mod_shared_roster_ldap, I (next 30 or 90 minutes!!!)
see:</p> <p>=ERROR REPORT==== 2012-11-30 13:03:27 ===<br /> 'mod_shared_roster_ldap_domain.com' crashed: {noproc,<br /> {gen_server,call,<br /> ['mod_shared_roster_ldap_domain.com',<br /> {get_user_displayed_groups,<br /> "j.bubueva"},<br /> 600000]}}</p> <p>(huge list of such messages).<br /> After the last of these messages (when _all_ examples of running msrl shut down), ejabberd is working fine.<br /> When I start msrl by hand later, it works fine too until the next trouble with timeout.</p> <p>My config of msrl:<br /> {mod_shared_roster_ldap,[<br /> {ldap_user_cache_validity,7200},<br /> {ldap_group_cache_validity,7200},<br /> {ldap_auth_check,off},<br /> {ldap_servers,["10.177.74.3"]},<br /> {ldap_port,389},<br /> {ldap_rootdn,"uid=master,o=domain"},<br /> {ldap_base,"o=domain"},<br /> {ldap_groupattr,"JABBERGROUP"},<br /> {ldap_password,"123"},<br /> {ldap_memberattr,"uid"},<br /> {ldap_rfilter,"(objectclass=CommuniGateAccount)"},<br /> {ldap_filter,"(objectclass=CommuniGateAccount)"},<br /> {ldap_useruid, "uid"},<br /> {ldap_userdesc,"cn"}<br /> ]}</p> <p>I did read a lot of documentation and huge pages of google and (in my current opinion) the problem is in the method of managing and making connection to ldap server.<br /> It seems, I began to think, that msrl uses persistent connection and not all of the connections which it takes are operational. Tuning keepalive timeout on server doesn't solve the problem, our firewall is not set to watch for timeout of connections.</p> <p>My question:<br /> Can msrl choose to use persistent or non-persistent connection?<br /> How can I make it establish a new connection to ldap?<br /> Or what direction do I have to take in my searches to solve this problem?</p> Fri, 30 Nov 2012 11:43:04 +0000 devil_inside comment 59278 at https://www.ejabberd.im
Confused. Seems to be working https://www.ejabberd.im/mod_shared_roster_ldap#comment-58909 <p>Confused. Seems to be working now. Must have been what you said about a bad roster.
Thanks for everything.</p> Mon, 23 Jul 2012 23:05:05 +0000 ghenry comment 58909 at https://www.ejabberd.im
I already gave you the https://www.ejabberd.im/mod_shared_roster_ldap#comment-58908 <p>I already gave you the suggestions. Why should I think you need them this time? Repeating "Use the link to modified version above" sounds annoying and advertising.</p> Mon, 23 Jul 2012 20:50:13 +0000 mikekaganski comment 58908 at https://www.ejabberd.im
Maybe the other clients check https://www.ejabberd.im/mod_shared_roster_ldap#comment-58907 <p>Maybe the other clients check this client side but Pidgin doesn't even with a bug in the module.</p> <p>Suggestions for your fix?</p> Mon, 23 Jul 2012 14:13:00 +0000 ghenry comment 58907 at https://www.ejabberd.im